[rt-users] 3.8.x serious security issue with mixing sessions [SOLVED I think!]

Jesse Vincent jesse at bestpractical.com
Mon Nov 2 14:19:46 EST 2009



> Cache: no-cache, but that will prevent caching at all. There seems to be no way to
> prevent caching cookies from the application side.

What's the current state of browser in-memory/on-disk caching with the
Cache: no-cache header?

The attached patch against 3.8.6 might be the right solution for you. I'd
consider making this change to RT if you can report back and tell me if
it does the right thing for you:

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index b82b638..dccf829 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -279,7 +279,6 @@ sub MaybeShowNoAuthPage {
     return unless $m->base_comp->path =~ RT->Config->Get('WebNoAuthRegex');
 
     # If it's a noauth file, don't ask for auth.
-    SendSessionCookie();
     $m->comp( { base_comp => $m->request_comp }, $m->fetch_next, %$ARGS );
     $m->abort;
 }
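Review bot: The comment "# If it's a noauth file, don't ask for auth." now sits directly above the spot where SendSessionCookie() was removed, so it is worth extending it (e.g. "don't ask for auth and don't send a session cookie, so a cached NoAuth response never carries one user's cookie to another") to make the omission read as deliberate rather than accidental. Also worth confirming that nothing served under WebNoAuthRegex relies on a session cookie having been issued by this call before `$m->comp(...)` runs, since that side effect is gone for every matching path.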
